CVE-2017-8386
Published: 10 May 2017
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
Notes
| Author | Note |
|---|---|
| tyhicks | Per upstream advisory, 1.6.1 is the earliest version affected |
Priority
Medium
CVSS 3 base score: 8.8
Status
| Package | Release | Status |
|---|---|---|
|
git Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was released [1:1.9.1-1ubuntu0.5])
|
|
| upstream |
Released
(1:2.11.0-3)
|
|
| xenial |
Released
(1:2.7.4-0ubuntu1.1)
|
|
| yakkety |
Released
(1:2.9.3-1ubuntu0.1)
|
|
| zesty |
Released
(1:2.11.0-2ubuntu0.1)
|
|
|
Patches: upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5 |
||
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
- http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html
- http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01346.html
- https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/
- https://ubuntu.com/security/notices/USN-3287-1
- NVD
- Launchpad
- Debian